Harald,
I am beginning to see what you are doing; through some foggy glasses.
Still need to read more, and today was not a reading day. I am
struggling to understand the attack space.
How can the user submit their cookie over an non-ssl connection when the server redirects everything to https? The only senario I have come up with is with the login screen in front of them, the user changes the method to http, enters in their data and sends?
So I have been running SquirrelMail as a virtual host over https and here the jist of what I have used:
<VirtualHost *:443>
ServerName webmail
ServerAlias webmail.foo.com
SSLEngine On
SSLCertificateFile ...crt
SSLCertificateKeyFile ...key
DocumentRoot /usr/share/squirrelmail
<Directory "/usr/share/squirrelmail">
...
</Directory>
</VirtualHost>
Any connection to http://webmail.foo.com gets returned as https://webmail.foo.com It took a bit of reading to get to this setup.
I will probably have to check with wireshark about what is going on if I change the method to http for any screen and what happens after login.
I do want to run Roundcube as a virtual host.
On 12/27/2012 06:40 PM, Reindl Harald wrote:
Am 28.12.2012 00:24, schrieb Jan M. Dziewulski:
On 27/12/2012 23:17, Robert Moskowitz wrote:
hmmm. Thinking (really!) I should change it back and try https:/.../webmail and see if it works. If it does, I need to add a force redirect to the roundcube.conf. Thinking more, this is reasonable as this is how my current squirrelmail works.
But shouldn't people be accessing it via https anyway? I mean without the need for a redirection? Adding a redirection increases security issues (for your site) so I personally would not be keen to do that
it does not if it is done right
<Directory "roundcube-dir"> php_admin_flag session.cookie_secure "1"
</Directory>
this makes sure that there will NEVER a client send the session cookie unencrypted, if you get a external security audit and do not use tis setting for https sites you will get warned by the auditor and if not he did not make his job!